Final answer:
Alice can safely request the public key from a certificate authority even without initially knowing it, as the public key can be openly shared. However, a man-in-the-middle like Mallory can intercept this exchange and pose as the CA, thus compromising the data by decrypting it with his own key.
Step-by-step explanation:
To answer your question about the certificate authority and public keys:
(a) Is it possible for Alice to ask CA about CA's public key if the communication channel between Alice and CA is secure?
Yes, it is possible for Alice to request the public key from the CA even if she does not initially know the CA's public key. In a secure channel, the initial exchange can still be considered safe from eavesdropping. The CA's public key is usually widely distributed and can be shared openly. Additionally, most systems come preloaded with a list of trusted CA public keys.
(b) What can Mallory do to steal Alice's data as a man-in-the-middle?
If Mallory is a man-in-the-middle, he can intercept the communication between Alice and the CA. He could present his own public key to Alice, pretending to be the CA. If Alice unknowingly uses Mallory's public key to encrypt her data, Mallory could then decrypt the data with his private key and gain access to the information before forwarding it to the server with the correct encryption, thus stealing the data without Alice's knowledge.
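The two cases above can be run side by side. This is an added example, not part of the original answer: it shows Alice accepting whatever key she is handed versus checking it against a preloaded trust store first. The toy RSA parameters, the `ExampleCA` entry and the fingerprint format are assumptions made up for the illustration.

```python
import hashlib
import hmac

# Toy textbook RSA with tiny constructed primes: illustration only, not secure.
def make_keypair(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)

def encrypt(pub, m):
    return pow(m, pub[1], pub[0])

def decrypt(priv, c):
    return pow(c, priv[1], priv[0])

def fingerprint(pub):
    # Hypothetical fingerprint format: SHA-256 over "n:e".
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()

CA_PUB, CA_PRIV = make_keypair(1009, 1013)
MALLORY_PUB, MALLORY_PRIV = make_keypair(1031, 1033)
# Preloaded trust store (constructed): shipped with Alice's system, not fetched.
TRUST_STORE = {"ExampleCA": fingerprint(CA_PUB)}

def alice_send(secret, offered_pub, verify):
    """Encrypt to the offered key; with verify=True, only if it matches the trust store."""
    if verify and not hmac.compare_digest(fingerprint(offered_pub), TRUST_STORE["ExampleCA"]):
        return None  # key is not the CA's: refuse to send anything
    return encrypt(offered_pub, secret)

def mallory_relay(ciphertext):
    """The relay from part (b): read the message, then re-encrypt to the real CA."""
    stolen = decrypt(MALLORY_PRIV, ciphertext)
    return stolen, encrypt(CA_PUB, stolen)

def run(verify):
    """Mallory substitutes his key on the wire; report what each party ends up with."""
    c = alice_send(4242, MALLORY_PUB, verify)
    if c is None:
        return {"sent": False, "stolen": None, "ca_received": None}
    stolen, forwarded = mallory_relay(c)
    return {"sent": True, "stolen": stolen, "ca_received": decrypt(CA_PRIV, forwarded)}

if __name__ == "__main__":
    print("no verification:  ", run(verify=False))
    print("trust-store check:", run(verify=True))
```

Without the check, the CA still receives the correct value, so neither end notices the interception; with the check, nothing is ever encrypted to Mallory's key.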